Tagging is Not Just for Content

We all know what tags are in web terms, right? (If not, check out this Wikipedia article on the subject.) Tags are almost exclusively used to associate subject matter with content; you tag something like a photo or a blog post with a number of keywords that describe it, so that you can build semantic relationships — search criteria, content-by-subject lists, that kind of thing.

But it occurred to me that tagging can also be used as the basis of an authentication system. (To give props — I came up with this idea a while ago but I didn’t think of it in terms of tagging; it was Lachlan Hardy who made that connection for me.)

The idea is very simple: you create a system in which you define a number of tags that indicate permission groups, so you might have tags like guest, friend, moderator and me. Individual users also have one or more tags associated with their user account.

Then for each piece of content, you assign tags that indicate who’s allowed to see it — if a post is tagged me, moderator then only you and mods can see it. Or to put it more generally, whenever a permission tag for a piece of content and a permission tags for a user coincide, that user is allowed to see that content.

The real point here is that it’s infinitely extensible. You can define any number of tags — from tags that apply to everyone, right down to individual users — and create a user/permissions system that’s as granular as you need. (One of the problems with XFN is that it’s too broad — I can’t encompass all my personal relationships as friend or acquaintance.)

You could describe this as a kind of role-based authentication, and in those terms it’s not a new idea; you might also see it as inverted role-based authentication — instead of defining user groups that have attributes (such as the member groups in vBulletin), we’re defining attributes directly, and therefore bypassing the need to define groups. Either way, by putting it in terms of tagging it somehow seemed more interesting, and more relevant to modern web development practices.

And it makes me wonder — where else could we extend the idea of tagging, beyond its current uses? Let me know your thoughts in the comments.

Image credit: juandesant

Win an Annual Membership to Learnable,

SitePoint's Learning Platform

  • http://www.cemerson.co.uk Stormrider

    Sounds exactly the same as user groups to me, just with a different name…

  • MohamedA.

    I like your idea, it could very granular like your said.

    Gmail is using tags to simulate folders. I used this technique myself, and it really made my life easier.

  • http://autisticcuckoo.net/ AutisticCuckoo

    Hasn’t Unix had this for like 40 years? :)

  • http://www.hotgazpacho.com hotgazpacho

    This is NOT authentication. What you speak of is Authorization.

    Authentication is “Who are you?”
    Authorization is “What are you allowed to access?”

    What you describe does indeed sound like a form of RBAC, or Role-Based Access Control.

    Of course, to truly be useful, you need to define somewhere what each tag allows the user to do. Say both my account and an article are tagged with “me”. What does that mean? Can I see it? Can I comment on it? Can I edit it? What am I allowed to do with it? You’d really have to go into much greater breadth with the tags, like “me-view”, “me-edit”, “m-comment”, etc.

  • Eagle Eye

    Three questions:
    1. Can anyone tell me if there are any concerns regarding accessibility with tag clouds?
    2. How would a screen reader interpret the tags and in which order?
    3. Is it automatically placed in alphabetical order or in popularity order?

  • Greg Boutin

    Hi James,

    Your post came on my radar for tagging. Your idea is interesting. I devised a number of such tagging extensions, as part of a tagging concept I developed throughout 2007 called TagOver, and I am glad to see a chorus forming on the applicability of “extended tagging”.

    More recently, I’ve simplified and honed in on a core idea within my “grand” tagging theory, and started working on it with a back-end developer. You can see more about it at my blog post

    We are currently looking for a talented, hands-on web designer and front end developer to help out and potentially join the founding team. For now this is side voluntary work, to be turned into company ownership once we set it up. Should you know people skilled and interested in the topic, kindly send them our way.

    Thanks James, and I look forward to connecting further

  • http://www.czaries.net Czaries

    This really is role-based authentication. You are assuming that by using role-based authentication, one user can only ever have one role, which isn’t the case. There can very often be a one-to-many relationship between a user and the roles or groups to which they possess or are a member of (a user ‘has many’ roles/groups).

    You say that when using these tags “instead of defining user groups that have attributes … we’re defining attributes directly”, but you’re really not. Attributes need to describe exactly what the role/tag does and what the user is allowed to do with them. General tags like “moderator” and “me” will still need a subset of attributes like “view”, “edit”, “delete”, “owner”, etc. so the application can determine which actions the user can actually execute with the tags they have. So it’s really just a ‘has many’ role-based authentication setup with a different name.

  • Dan Dorman

    I agree that there’s not a whole lot new here from an authentication standpoint, but I think it’s a really cool idea from an interface point of view. It seems like an intuitive way to handle assigning multiple roles to users.

  • Pete

    Im not quite sure if this is a good idea or not…

    The way that i would implement permissions on a large site would be based around user groups and content categories eg. the admin department would have the permission to edit and create content within the ‘News’ category. With this approach, if the admin department needed to add products to the website for example, it would be easy to give them permission to do so.

    Within the system that you describe above, unless im missing something, you would have to go through all of content and re-tag it with the correct permissions.

  • Alex Galla

    Sounds the same as user groups to me, just with a different name.